我一直在网上搜索,但似乎找不到这个问题的明确答案。我被迫使用 PowerShell v2。我知道使用以下命令将为我提供所有防火墙规则的列表:
netsh advfirewall firewall show rule name=all
但是它得到的输出如下:
Rule Name: Core Networking - Teredo (ICMPv6-In)
---------- ------------------------------------
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping: Core Networking
LocalIP: Any
RemoteIP: Any
Protocol: ICMPv6
Type Code
128 Any
Edge traversal: No
Action: Allow
但是我需要找到规则创建/启用的确切时间。这可能吗?或者,有没有办法设置临时(定时)Windows 防火墙规则?
*编辑:似乎确实没有办法使用 netsh 或防火墙特定的 powerhshell v2 cmdlet 来执行此操作,但是我相信我的解决方案可能位于事件 ID 为 2004/2006 下的 /应用程序和服务日志/Microsoft/Windows/Windows 防火墙与高级安全/防火墙日志中。
****编辑:**以下命令可用于查看实例 ID 2004(已将规则添加到防火墙...):
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | Where-Object {$_.ID -eq "2004"}
*****编辑:**就目前而言,以下命令是收集此信息的最快方法Measure-Command -Expression。您可以根据需要修改开始/结束时间或将其完全删除:
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2004; StartTime=(Get-Date).AddMinutes(-5); EndTime=Get-Date}
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 166
Ticks : 1662222
TotalDays : 1.92386805555556E-06
TotalHours : 4.61728333333333E-05
TotalMinutes : 0.00277037
TotalSeconds : 0.1662222
TotalMilliseconds : 166.2222
并获得这样的输出(您可以通过将其传输到类似以下内容来获取完整的消息文本Format-List:
ProviderName: Microsoft-Windows-Windows Firewall With Advanced Security
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
4/28/2014 2:42:26 PM 2004 Information A rule has been added to the Windows Firewall exception list....
4/28/2014 11:56:43 AM 2004 Information A rule has been added to the Windows Firewall exception list....
更新后的问题是这样的:有没有办法获取这些信息,而不是Message列,而是获取Rule Name(下面的格式列表管道)
TimeCreated : 4/28/2014 10:50:54 AM
ProviderName : Microsoft-Windows-Windows Firewall With Advanced Security
Id : 2004
Message : A rule has been added to the Windows Firewall exception list.
Added Rule:
Rule ID: ...
Rule Name: Dummy rule
Origin: Local
Active: Yes
Direction: Inbound
Profiles: Private,Domain, Public
Action: Block
Application Path:
Service Name:
Protocol: Any
Security Options: None
Edge Traversal: None
Modifying User: ...
Modifying Application: ...
预期输出将是这样的:
TimeCreated Rule Name
----------- ---------
4/28/2014 2:42:26 PM Dummy rule
4/28/2014 11:56:43 AM Dummy rule
答案1
已经过去至少一天了,所以我认为可以回答我自己的问题(我想我在错误的地方问了这个问题,可能更适合 Stack Overflow):
$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{logname="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"; id=2004}
ForEach ($Event in $Events) {
$eventXML = [xml]$Event.ToXml()
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
Add-Member -InputObject $Event -MemberType NoteProperty -Force `
-Name $eventXML.Event.EventData.Data[$i].name `
-Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
$Events | Format-Table -Property TimeCreated,RuleName -AutoSize
输出看起来和我想要的完全一样:
TimeCreated RuleName
----------- --------
4/28/2014 2:42:26 PM Dummy Rule
4/28/2014 11:56:43 AM Dummy Rule
希望这对将来的某人有所帮助。谢谢。